<?php
/**
* @license SILK SOFTWARE HOUSE SP Z O O
*/
namespace App\Security;
use App\Entity\Customer;
use App\Entity\Device;
use App\Entity\User;
use App\Repository\LicenseRepository;
use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
use Symfony\Component\Security\Core\Authorization\Voter\Voter;
/**
* Class DeviceVoter.
*/
class DeviceVoter extends Voter
{
const SHOW = 'show';
const NEW = 'new';
const EDIT = 'edit';
const DELETE = 'delete';
/**
* License repository.
*
* @var LicenseRepository
*/
private $licenseRepository;
/**
* DeviceVoter constructor.
*
* @param LicenseRepository $licenseRepository
*/
public function __construct(LicenseRepository $licenseRepository)
{
$this->licenseRepository = $licenseRepository;
}
/**
* Supports.
*
* @param string $attribute
* @param object $subject
*
* @return bool
*/
protected function supports($attribute, $subject)
{
// if the attribute isn't one we support, return false
if (!in_array($attribute, [self::SHOW, self::NEW, self::EDIT, self::DELETE])) {
return false;
}
if ($subject && !$subject instanceof Device) {
return false;
}
return true;
}
/**
* Vote on attribute.
*
* @param string $attribute
* @param object $subject
* @param TokenInterface $token
*
* @return bool
*/
protected function voteOnAttribute($attribute, $subject, TokenInterface $token)
{
$user = $token->getUser();
if (!$user instanceof User) {
// the user must be logged in; if not, deny access
return false;
}
if (!$subject instanceof Device && self::NEW !== $attribute) {
return false;
}
// you know $subject is a Device object, thanks to `supports()`
/** @var Device $device */
$device = $subject;
if (in_array($attribute, [self::NEW, self::DELETE])) {
return $user->hasRole('ROLE_ADMIN');
}
if (self::EDIT === $attribute) {
return $this->canEdit($device, $user);
}
return $this->canView($device, $user);
}
/**
* Can view.
*
* @param Device $device
* @param User $user
*
* @return bool
*/
private function canView(Device $device, User $user)
{
if ($user->hasRole('ROLE_ADMIN') || $this->canEdit($device, $user)) {
return true;
}
$deviceHasCustomersMeasurement = $this->hasMeasurement($device, $user->getCustomer());
return null !== $this->licenseRepository->findOneBy([
'device' => $device,
'customer' => $user->getActiveCustomer(),
]) || $deviceHasCustomersMeasurement;
}
/**
* Can edit.
*
* @param Device $device
* @param User $user
*
* @return bool
*/
private function canEdit(Device $device, User $user)
{
if ($user->hasRole('ROLE_ADMIN')) {
return true;
}
$deviceCustomer = $device->getCustomer();
$userCustomer = $user->getActiveCustomer();
return ($deviceCustomer && $userCustomer && $deviceCustomer->getId() === $userCustomer->getId());
}
/**
* @param Device $device
* @param Customer|null $customer
*
* @return bool
*/
private function hasMeasurement(Device $device, ?Customer $customer): bool
{
foreach ($device->getMeasurements() ?? [] as $measurement) {
return $measurement->getCustomer() === $customer;
}
return false;
}
}